From 00f11b10dacadae4c4a72ab0827a87dc9713357f Mon Sep 17 00:00:00 2001 From: thiagolabs <31451686+thiagolabs@users.noreply.github.com> Date: Tue, 29 Aug 2017 20:48:03 -0300 Subject: [PATCH 1/4] Add files via upload --- httpsscan.sh | 172 +++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 131 insertions(+), 41 deletions(-) diff --git a/httpsscan.sh b/httpsscan.sh index a77f206..761a472 100644 --- a/httpsscan.sh +++ b/httpsscan.sh @@ -42,7 +42,8 @@ VERSION=1.8.2 function Help { echo "-------------------------------" -echo "Use: ./httpsscan IP PORT OP" +echo "Use: ./httpsscan IPSRCFILE PORTSRCFILE OP" +echo "Ex: $0 /tmp/hosts /tmp/ports ssl2" echo -e "OP: all, --all, a ssl2, --ssl2 
@@ -69,219 +70,308 @@ echo "### ### ### ### ### ######## ######## ######## ## echo "V. $VERSION by Alexos Core Labs " if [ $# -ne 3 ]; then - echo Usage: $0 IP PORT OP + echo Usage: $0 IPSRCFILE PORTSRCFILE OP + echo "Ex: $0 /tmp/hosts /tmp/ports ssl2" Help exit fi -HOST=$1 -PORT=$2 -TARGET=$HOST:$PORT OP=$3 red=`tput setaf 1 2>/dev/null` +green=`tput setaf 2 2>/dev/null` reset=`tput sgr0 2>/dev/null` timeout_bin=`which timeout 2>/dev/null` -function ssl2 { +function ssl2() { echo echo "${red}==> ${reset} Checking SSLv2 (CVE-2011-1473) (CVE-2016-0800)" +for HOST in `cat $1`; do + for PORT in `cat $2`; do + TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -ssl2 -connect "$TARGET" 2>/dev/null`" proto=`echo "$ssl" | grep '^ *Protocol *:' | awk '{ print $3 }'` cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'` + +echo -e "\n Checking $HOST:$PORT... \n" if [ "$cipher" = '' ]; then - echo 'Not vulnerable. Failed to establish SSLv2 connection.' + echo "${green}Not vulnerable.${reset} Failed to establish SSLv2 connection." else echo "${red}Vulnerable!${reset} SSLv2 connection established using $proto/$cipher" fi + done +done } function crime { echo echo "${red}==> ${reset} Checking CRIME (CVE-2012-4929)" +for HOST in `cat $1`; do + for PORT in `cat $2`; do + TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -connect "$TARGET" 2>/dev/null`" compr=`echo "$ssl" |grep 'Compression: ' | awk '{ print $2 } '` +echo -e "\n Checking $HOST:$PORT... \n" + if [ "$compr" = 'NONE' ] || [ "$compr" = "" ]; then - echo 'Not vulnerable. TLS Compression is not enabled.' + echo "${green}Not vulnerable.${reset} TLS Compression is not enabled." else echo "${red}Vulnerable!${reset} Connection established using $compr compression." 
fi + done +done } function rc4 { echo echo "${red}==> ${reset} Checking RC4 (CVE-2013-2566)" +for HOST in `cat $1`; do + for PORT in `cat $2`; do + TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher RC4 -connect "$TARGET" 2>/dev/null`" proto=`echo "$ssl" | grep '^ *Protocol *:' | awk '{ print $3 }'` cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'` + +echo -e "\n Checking $HOST:$PORT... \n" + if [ "$cipher" = '' ]; then -echo 'Not vulnerable. Failed to establish RC4 connection.' +echo "${green}Not vulnerable.${reset} Failed to establish RC4 connection." else echo "${red}Vulnerable!${reset} Connection established using $proto/$cipher" fi + done +done } function heartbleed { echo echo "${red}==> ${reset} Checking Heartbleed (CVE-2014-0160)" +for HOST in `cat $1`; do + for PORT in `cat $2`; do + TARGET=$HOST:$PORT ssl="`echo "QUIT"|openssl s_client -connect "$TARGET" -tlsextdebug 2>&1|grep 'server extension "heartbeat" (id=15)' || echo safe 2>/dev/null`" +echo -e "\n Checking $HOST:$PORT... \n" + if [ "$ssl" = 'safe' ]; then - echo 'The host is not vulnerable to Heartbleed attack.' + echo "The host is ${green}not vulnerable${reset} to Heartbleed attack." else echo "${red}Vulnerable!${reset} The host is vulnerable to Heartbleed attack." fi + done +done } function poodle { echo echo "${red}==> ${reset} Checking Poodle (CVE-2014-3566)" +for HOST in `cat $1`; do + for PORT in `cat $2`; do + TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -ssl3 -connect "$TARGET" 2>/dev/null`" proto=`echo "$ssl" | grep '^ *Protocol *:' | awk '{ print $3 }'` cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'` +echo -e "\n Checking $HOST:$PORT... \n" + if [ "$cipher" = '0000' -o "$cipher" = '(NONE)' ] || [ "$cipher" = "" ]; then - echo 'Not vulnerable. Failed to establish SSLv3 connection.' + echo "${green}Not vulnerable.${reset} Failed to establish SSLv3 connection." 
else echo "${red}Vulnerable!${reset} SSLv3 connection established using $proto/$cipher" fi + done +done } function freak { echo echo "${red}==> ${reset} Checking FREAK (CVE-2015-0204)" +for HOST in `cat $1`; do + for PORT in `cat $2`; do + TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher EXPORT -connect "$TARGET" 2>/dev/null`" cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'` + +echo -e "\n Checking $HOST:$PORT... \n" + if [ "$cipher" = '' ]; then - echo 'Not vulnerable. Failed to establish connection with an EXPORT cipher.' + echo "${green}Not vulnerable.${reset} Failed to establish connection with an EXPORT cipher." else echo "${red}Vulnerable!${reset} Connection established using $cipher" fi + done +done } function null { echo echo "${red}==> ${reset}Checking NULL Cipher" +for HOST in `cat $1`; do + for PORT in `cat $2`; do + TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher NULL -connect "$TARGET" 2>/dev/null`" cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'` + +echo -e "\n Checking $HOST:$PORT... \n" + if [ "$cipher" = '' ]; then - echo 'Not vulnerable. Failed to establish connection with a NULL cipher.' + echo "${green}Not vulnerable.${reset} Failed to establish connection with a NULL cipher." else echo "${red}Vulnerable!${reset} Connection established using $cipher" fi + done +done } - function weak40 { echo echo "${red}==> ${reset} Checking Weak Ciphers" +for HOST in `cat $1`; do + for PORT in `cat $2`; do + TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher EXPORT40 -connect "$TARGET" 2>/dev/null`" cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'` +echo -e "\n Checking $HOST:$PORT... \n" + if [ "$cipher" = '' ]; then - echo 'Not vulnerable. Failed to establish connection with 40 bit cipher.' + echo "${green}Not vulnerable.${reset} Failed to establish connection with 40 bit cipher." 
else echo "${red}Vulnerable!${reset} Connection established using 40 bit cipher" fi + done +done } function weak56 { echo echo "${red}==> ${reset} Checking Weak Ciphers" +for HOST in `cat $1`; do + for PORT in `cat $2`; do + TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher EXPORT56 -connect "$TARGET" 2>/dev/null`" cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'` +echo -e "\n Checking $HOST:$PORT... \n" + if [ "$cipher" = '' ]; then - echo 'Not vulnerable. Failed to establish connection with 56 bit cipher.' + echo "${green}Not vulnerable.${reset} Failed to establish connection with 56 bit cipher." else echo "${red}Vulnerable!${reset} Connection established using 56 bit cipher" fi + done +done } function forward { echo echo "${red}==> ${reset}Checking Forward Secrecy" +for HOST in `cat $1`; do + for PORT in `cat $2`; do + TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher 'ECDH:DH' -connect "$TARGET" 2>/dev/null`" proto=`echo "$ssl" | grep '^ *Protocol *:' | awk '{ print $3 }'` cipher=`echo "$ssl" | grep '^ *Cipher *:' | awk '{ print $3 }'` +echo -e "\n Checking $HOST:$PORT... \n" + if [ "$cipher" = '' -o "$cipher" = '(NONE)' ]; then echo 'Forward Secrecy is not enabled.' else echo "Enabled! Established using $proto/$cipher" fi + done +done } -function online { +function online() { +for HOST in `cat $1`; do + for PORT in `cat $2`; do + TARGET=$HOST:$PORT ssl="`echo Q | openssl s_client -connect "$TARGET" 2>/dev/null | wc -l`" if [ "$ssl" -lt 5 ]; then - echo "Host $TARGET is unreachable. Halting test." - exit -1 + echo + echo "Host $TARGET is unreachable." + #exit -1 fi + done +done } #---------------------------------------------------------------------------------------------------------------------------------- -online echo -echo [*] Analyzing SSL/TLS Vulnerabilities on $HOST:$PORT ... +echo [*] Analyzing SSL/TLS Vulnerabilities... 
echo echo Generating Report...Please wait +online $1 $2 + # Nova chamada das funções: case $3 in "--help"|"help") Help;; "all"|"--all"|"a") - ssl2 - crime - rc4 - heartbleed - poodle - freak - null - weak40 - weak56 - forward;; + ssl2 $1 $2 + crime $1 $2 + rc4 $1 $2 + heartbleed $1 $2 + poodle $1 $2 + freak $1 $2 + null $1 $2 + weak40 $1 $2 + weak56 $1 $2 + forward $1 $2 + ;; "ssl2"|"--ssl2") - ssl2;; + ssl2 $1 $2 + ;; "crime"|"--crime") - crime;; + crime $1 $2 + ;; "rc4"|"--rc4") - rc4;; + rc4 $1 $2 + ;; "heartbleed"|"--heartbleed") - heartbleed;; + heartbleed $1 $2 + ;; "poodle"|"--poodle") - poodle;; + poodle $1 $2 + ;; "freak"|"--freak") - freak;; + freak $1 $2 + ;; "null"|"--null") - null;; + null $1 $2 + ;; "weak40"|"--weak40") - weak40;; + weak40 $1 $2 + ;; "weak56"|"--weak56") - weak56;; + weak56 $1 $2 + ;; "forward"|"--forward") - forward;; + forward $1 $2 + ;; *) echo -e "${red}Parameter invalid, check --help${reset}" esac From 7c8a3d1270cd2f26e2864ed8f93d2771fafd9c90 Mon Sep 17 00:00:00 2001 From: thiagolabs <31451686+thiagolabs@users.noreply.github.com> Date: Tue, 29 Aug 2017 20:51:45 -0300 Subject: [PATCH 2/4] Add files via upload --- httpsscan.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/httpsscan.sh b/httpsscan.sh index 761a472..2e80090 100644 --- a/httpsscan.sh +++ b/httpsscan.sh @@ -310,7 +310,6 @@ ssl="`echo Q | openssl s_client -connect "$TARGET" 2>/dev/null | wc -l`" if [ "$ssl" -lt 5 ]; then echo echo "Host $TARGET is unreachable." - #exit -1 fi done done From 6ad7f2d54a57af8a19a4304dd00ddd656b5f3a04 Mon Sep 17 00:00:00 2001 From: thiagolabs <31451686+thiagolabs@users.noreply.github.com> Date: Tue, 29 Aug 2017 22:52:58 -0300 Subject: [PATCH 3/4] Add files via upload --- httpsscan.sh | 85 +++++++++++++++++++++++++++------------------------- 1 file changed, 44 insertions(+), 41 deletions(-) diff --git a/httpsscan.sh b/httpsscan.sh index 2e80090..0253fe7 100644 --- a/httpsscan.sh +++ b/httpsscan.sh 
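Review bot: With `exit -1` commented out in `online`, a target that cannot be reached still goes through every check, and each check treats an empty `$cipher` as a pass, so an unreachable host:port is printed as a green "Not vulnerable" (and as `safe` in `heartbleed`, through `|| echo safe`). In a scan report that is a false negative: a failed connection should be reported as inconclusive, not as a clean result. One option is to have `online` keep only the targets that pass its `wc -l` threshold and let the checks loop over that list; another is to test for a failed connection before the cipher comparison and print something like `echo "Inconclusive: no connection to $TARGET"`. The same output probably also appears when the local openssl build rejects `-ssl2` or `-ssl3`, which the report cannot tell apart from a hardened server.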
@@ -42,8 +42,9 @@ VERSION=1.8.2 function Help { echo "-------------------------------" -echo "Use: ./httpsscan IPSRCFILE PORTSRCFILE OP" -echo "Ex: $0 /tmp/hosts /tmp/ports ssl2" +echo "Use: ./httpsscan TARGET_FILE -p TARGET_PORTs OP" +echo "Ex: $0 /tmp/hosts -p 443 ssl2" +echo "Ex: $0 /tmp/hosts -p 443,4443 ssl2" echo -e "OP: all, --all, a ssl2, --ssl2 @@ -69,25 +70,27 @@ echo "#+# #+# #+# #+# #+# #+# #+##+# #+##+# #+## echo "### ### ### ### ### ######## ######## ######## ### ###### #### " echo "V. $VERSION by Alexos Core Labs " -if [ $# -ne 3 ]; then - echo Usage: $0 IPSRCFILE PORTSRCFILE OP - echo "Ex: $0 /tmp/hosts /tmp/ports ssl2" +if [ $# -ne 4 ]; then + echo Usage: $0 TARGET_FILE -p TARGET_PORTs OP + echo "Ex: $0 /tmp/hosts -p 443 ssl2" + echo "Ex: $0 /tmp/hosts -p 443,4443 ssl2" Help exit fi - -OP=$3 +TARGET_PORTS="$3"; PORTS=`echo $TARGET_PORTS | sed -e 's/,/ /g'` +OP=$4 red=`tput setaf 1 2>/dev/null` green=`tput setaf 2 2>/dev/null` reset=`tput sgr0 2>/dev/null` timeout_bin=`which timeout 2>/dev/null` + function ssl2() { echo echo "${red}==> ${reset} Checking SSLv2 (CVE-2011-1473) (CVE-2016-0800)" for HOST in `cat $1`; do - for PORT in `cat $2`; do + for PORT in ${PORTS[@]}; do TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -ssl2 -connect "$TARGET" 2>/dev/null`" @@ -110,7 +113,7 @@ function crime { echo echo "${red}==> ${reset} Checking CRIME (CVE-2012-4929)" for HOST in `cat $1`; do - for PORT in `cat $2`; do + for PORT in ${PORTS[@]}; do TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -connect "$TARGET" 2>/dev/null`" @@ -131,7 +134,7 @@ function rc4 { echo echo "${red}==> ${reset} Checking RC4 (CVE-2013-2566)" for HOST in `cat $1`; do - for PORT in `cat $2`; do + for PORT in ${PORTS[@]}; do TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher RC4 -connect "$TARGET" 2>/dev/null`" 
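Review bot: The new argument handling in the `@@ -69,25 +70,27 @@` hunk only counts four arguments: `$2` is never compared with `-p`, and `$3` is split on commas and used as port numbers without any validation. `PORTS` is also a plain string, so `${PORTS[@]}` in the loops of `ssl2`, `crime`, `rc4` and the later functions only works through unquoted word splitting, which also glob-expands the values. Assuming the script runs under bash as the README shows, parsing into a real array and rejecting non-numeric entries keeps malformed input out of the `-connect` targets; the usage path should also exit non-zero. The loops would then iterate with `for PORT in "${PORTS[@]}"; do`.

```shell
if [ $# -ne 4 ] || [ "$2" != "-p" ]; then
  # … unchanged: usage text and Help …
  exit 1
fi
IFS=',' read -r -a PORTS <<< "$3"
for PORT in "${PORTS[@]}"; do
  case "$PORT" in
    ''|*[!0-9]*) echo "Invalid port: $PORT" >&2; exit 1 ;;
  esac
done
OP=$4
```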
@@ -153,7 +156,7 @@ function heartbleed { echo echo "${red}==> ${reset} Checking Heartbleed (CVE-2014-0160)" for HOST in `cat $1`; do - for PORT in `cat $2`; do + for PORT in ${PORTS[@]}; do TARGET=$HOST:$PORT ssl="`echo "QUIT"|openssl s_client -connect "$TARGET" -tlsextdebug 2>&1|grep 'server extension "heartbeat" (id=15)' || echo safe 2>/dev/null`" @@ -173,7 +176,7 @@ function poodle { echo echo "${red}==> ${reset} Checking Poodle (CVE-2014-3566)" for HOST in `cat $1`; do - for PORT in `cat $2`; do + for PORT in ${PORTS[@]}; do TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -ssl3 -connect "$TARGET" 2>/dev/null`" @@ -196,7 +199,7 @@ function freak { echo echo "${red}==> ${reset} Checking FREAK (CVE-2015-0204)" for HOST in `cat $1`; do - for PORT in `cat $2`; do + for PORT in ${PORTS[@]}; do TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher EXPORT -connect "$TARGET" 2>/dev/null`" @@ -217,7 +220,7 @@ function null { echo echo "${red}==> ${reset}Checking NULL Cipher" for HOST in `cat $1`; do - for PORT in `cat $2`; do + for PORT in ${PORTS[@]}; do TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher NULL -connect "$TARGET" 2>/dev/null`" @@ -238,7 +241,7 @@ function weak40 { echo echo "${red}==> ${reset} Checking Weak Ciphers" for HOST in `cat $1`; do - for PORT in `cat $2`; do + for PORT in ${PORTS[@]}; do TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher EXPORT40 -connect "$TARGET" 2>/dev/null`" @@ -261,7 +264,7 @@ function weak56 { echo echo "${red}==> ${reset} Checking Weak Ciphers" for HOST in `cat $1`; do - for PORT in `cat $2`; do + for PORT in ${PORTS[@]}; do TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher EXPORT56 -connect "$TARGET" 2>/dev/null`" 
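Review bot: The `heartbleed` probe in the `@@ -153,7 +156,7 @@` hunk still calls `openssl s_client` without the `${timeout_bin:+$timeout_bin 5}` prefix that every other check uses and that this commit adds to `online`. Now that the script walks a whole target file, one filtered host:port can stall the run at this step until the TCP connect gives up. The call could become `ssl="`echo "QUIT" | ${timeout_bin:+$timeout_bin 5} openssl s_client -connect "$TARGET" -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe`"`. The function body continues outside the hunk.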
@@ -283,7 +286,7 @@ function forward { echo echo "${red}==> ${reset}Checking Forward Secrecy" for HOST in `cat $1`; do - for PORT in `cat $2`; do + for PORT in ${PORTS[@]}; do TARGET=$HOST:$PORT ssl="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -cipher 'ECDH:DH' -connect "$TARGET" 2>/dev/null`" @@ -304,9 +307,9 @@ done function online() { for HOST in `cat $1`; do - for PORT in `cat $2`; do + for PORT in ${PORTS[@]}; do TARGET=$HOST:$PORT -ssl="`echo Q | openssl s_client -connect "$TARGET" 2>/dev/null | wc -l`" +ssl="`echo Q | ${timeout_bin:+$timeout_bin 5} openssl s_client -connect "$TARGET" 2>/dev/null | wc -l`" if [ "$ssl" -lt 5 ]; then echo echo "Host $TARGET is unreachable." @@ -322,54 +325,54 @@ echo echo [*] Analyzing SSL/TLS Vulnerabilities... echo echo Generating Report...Please wait -online $1 $2 +online $1 # Nova chamada das funções: -case $3 in +case $4 in "--help"|"help") Help;; "all"|"--all"|"a") - ssl2 $1 $2 - crime $1 $2 - rc4 $1 $2 - heartbleed $1 $2 - poodle $1 $2 - freak $1 $2 - null $1 $2 - weak40 $1 $2 - weak56 $1 $2 - forward $1 $2 + ssl2 $1 + crime $1 + rc4 $1 + heartbleed $1 + poodle $1 + freak $1 + null $1 + weak40 $1 + weak56 $1 + forward $1 ;; "ssl2"|"--ssl2") - ssl2 $1 $2 + ssl2 $1 ;; "crime"|"--crime") - crime $1 $2 + crime $1 ;; "rc4"|"--rc4") - rc4 $1 $2 + rc4 $1 ;; "heartbleed"|"--heartbleed") - heartbleed $1 $2 + heartbleed $1 ;; "poodle"|"--poodle") - poodle $1 $2 + poodle $1 ;; "freak"|"--freak") - freak $1 $2 + freak $1 ;; "null"|"--null") - null $1 $2 + null $1 ;; "weak40"|"--weak40") - weak40 $1 $2 + weak40 $1 ;; "weak56"|"--weak56") - weak56 $1 $2 + weak56 $1 ;; "forward"|"--forward") - forward $1 $2 + forward $1 ;; *) echo -e "${red}Parameter invalid, check --help${reset}" From 5bf19cce15717099b7186513e633571833a5f050 Mon Sep 17 00:00:00 2001 
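Review bot: The target file path is passed unquoted everywhere in the `@@ -322,54 +325,54 @@` hunk (`online $1`, `ssl2 $1`, … `forward $1`), and each function reads it with `for HOST in `cat $1``, so a path with spaces breaks and every entry in the file is subject to word splitting and glob expansion before it reaches `-connect`. Quoting the calls as `online "$1"` and reading the file with `while IFS= read -r HOST; do … done < "$1"` makes each line one literal host. `OP=$4` is assigned earlier but the dispatch uses `case $4 in`; `case "$OP" in` would use the variable that was set for it.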
From: thiagolabs <31451686+thiagolabs@users.noreply.github.com> Date: Tue, 29 Aug 2017 23:09:11 -0300 Subject: [PATCH 4/4] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ec83b81..25af63c 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ Cygwin dependencies: Usage: -bash httpsscan.sh [target] [port] [option] +bash httpsscan.sh [target_file] -p [ports] [option] Options: